tomcat-users mailing list archives

From "David Farb" <>
Subject Role bug in form based login: bug 8607.
Date Sun, 28 Apr 2002 21:00:40 GMT
I have found what I think is a bug in form based login. A user who is in the
user database attempts a valid login, but the role of the user does not
match one of the roles of the protected area. This has been mentioned a
couple of times before in e-mails on this list, but has never been filed as
a bug as far as I can see.

To reproduce:
1. Install Tomcat 4.0.3 right from the box.
2. Add the user: <user name="fred" password="flint" roles="standard,manager">
   to the tomcat-users.xml file in conf.
3. Start tomcat, and access the examples/jsp/security/protected example.
4. Try to log in as tomcat/tomcat. Works fine.
5. Log out and log in as fred/flint and you DON'T get the error page,
   instead you get message 403.
6. All subsequent attempts to log in, even with valid tomcat/tomcat ids,
   get message 404 about j_security_check.

Now I am somewhat of an amateur on Tomcat, so I am willing to believe it is
a configuration problem, but the only thing I changed was the addition of
the user "fred".

Anyone else have this problem? I could find only one other bug along these
lines, but it didn't seem related.

Others with a similar problem:

From: "Christopher Pennock"
Subject:  FORM login with wrong role gets 404, not error page - bug?
Date:  Tue, 5 Feb 2002 12:21:49 -0500

From: Victoria Einarsson
Subject:  wrong user role => Error 403 instead of redirecting to
Date:  Thu, 10 Jan 2002 11:34:00 +0100
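
An added example, not part of the original message and not Tomcat code: a small offline check that separates the two outcomes in the report, credentials that fail authentication versus credentials that authenticate but hold none of the roles in the protected area's auth-constraint (the fred/flint case). The tomcat-users.xml and web.xml contents, the URL pattern, the role names "tomcat" and "role1", and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed conf/tomcat-users.xml: a tomcat user plus "fred" from step 2.
TOMCAT_USERS = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat"/>
  <user name="fred" password="flint" roles="standard,manager"/>
</tomcat-users>"""

# Constructed web.xml fragment (no XML namespace, as with a DTD-based
# descriptor); the URL pattern and role names are assumptions.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/jsp/security/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def constraint_roles(web_xml):
    """Map each protected url-pattern to the roles its auth-constraint allows."""
    allowed = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:  # no auth-constraint: no login is required here
            continue
        roles = {r.text.strip() for r in ac.iter("role-name") if r.text}
        for pat in sc.iter("url-pattern"):
            allowed.setdefault(pat.text.strip(), set()).update(roles)
    return allowed


def classify(users_xml, web_xml, username, password):
    """Return 'auth-failed', or {url-pattern: 'allowed' | 'forbidden'}."""
    for u in ET.fromstring(users_xml).iter("user"):
        if u.get("name") == username and u.get("password") == password:
            held = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            # Authenticated: access depends on sharing a role with the constraint.
            return {pat: ("allowed" if held & roles else "forbidden")
                    for pat, roles in constraint_roles(web_xml).items()}
    return "auth-failed"
```

Running classify() for every entry in tomcat-users.xml lists the accounts that can log in but will be refused by a given constraint.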
